Slide 1

Slide 1 text

Can Request Encryption fix your Web Apps? By Farhan Thakur

Slide 2

Slide 2 text

About Me

● ~3.5 years of cyber security experience and 1.5 years of non-cyber-security experience
● Expertise in Offensive Web Application security.
● Socials -
  ○ LinkedIn - https://www.linkedin.com/in/farhanthakur/
  ○ GitHub - https://github.com/kaminari14

Slide 3

Slide 3 text

Understanding the Demographic

Slide 4

Slide 4 text

Prerequisites

● Burp Suite/Reverse Web Proxy
● JavaScript
● Encryption Concepts

Slide 5

Slide 5 text

Symmetric Encryption

Slide 6

Slide 6 text

Asymmetric Encryption

Slide 7

Slide 7 text

Question? What severity is usually given for SSL pinning bypass?

Slide 8

Slide 8 text

Motivation for using Encryption in Web Applications

Slide 9

Slide 9 text

How many Vulnerabilities can you find?

Slide 10

Slide 10 text

How many Vulnerabilities can you find?

Slide 11

Slide 11 text

Developers VS Hackers/Cyber Security

Slide 12

Slide 12 text

Does encryption actually fix web app vulnerabilities?

● Client side protection
● Extra Layer of security

Slide 14

Slide 14 text

Demonstration

● Bypassing symmetric encryption with Key and IV in Requests
● Bypassing symmetric encryption with Key and IV in JS
● Bypassing asymmetric encryption
● Using BurpCrypto
● Bypassing Hybrid encryption

Slide 15

Slide 15 text

Importance of testing Unencrypted Requests in a greybox/whitebox activity

Slide 16

Slide 16 text

Implementation Challenges for a developer

Slide 17

Slide 17 text

Thank You